
Re: Question about ipchains



> > It accepts all other traffic to non-privileged ports. I prefer to
> > allow traffic without the syn flag (not initiating a new connection)
> > only, not all misc traffic, it's more secure, the way to do it is
> > like:
> > ipchains -A input -s 0/0 -d 0/0 1024:65535 -p tcp ! -y -j ACCEPT
> > ipchains -A input -s 0/0 -d 0/0 1024:65535 -p udp ! -y -j ACCEPT
> >
>
> Unfortunately this breaks irc, ftp and many other things.

It's also an error.  The -y option is only valid for tcp connections.
Since udp is a connectionless packet, that makes sense.
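
The point made in this reply can be checked over a set of rules before they are loaded. This is an added example, not part of the original thread: the function names `syn_rule_ok` and `lint_rules` are hypothetical, and the sample input is the two rules quoted above.

```shell
#!/bin/sh
# Constructed input: the two rules quoted in the thread.
RULES='ipchains -A input -s 0/0 -d 0/0 1024:65535 -p tcp ! -y -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 1024:65535 -p udp ! -y -j ACCEPT'

# syn_rule_ok RULE
# Returns 0 if the rule does not use -y/--syn, or uses it with -p tcp.
# Returns 1 if -y/--syn appears with any other protocol, a negated
# protocol, or no -p at all. A negated match ("! -y") is still a SYN match.
syn_rule_ok() {
    proto="" syn=0
    set -f                  # keep 0/0, * and ! literal while word-splitting
    set -- $1
    set +f
    while [ $# -gt 0 ]; do
        case "$1" in
            -p|--protocol)
                if [ "${2:-}" = "!" ]; then proto="!${3:-}"; else proto="${2:-}"; fi ;;
            -y|--syn)
                syn=1 ;;
        esac
        shift
    done
    [ "$syn" -eq 0 ] && return 0
    case "$proto" in
        tcp|TCP|6) return 0 ;;   # 6 is the IP protocol number for TCP
        *)         return 1 ;;
    esac
}

# lint_rules: read rules on stdin, report offenders on stderr,
# print the number of offending rules on stdout.
lint_rules() {
    bad=0
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        if ! syn_rule_ok "$rule"; then
            echo "invalid: -y used without -p tcp: $rule" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

printf '%s\n' "$RULES" | lint_rules
```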


